NordVPN, the virtual private network provider, today confirmed it was hacked through an expired, exposed, and outdated internal private key. VPN providers are becoming significantly popular due to providing security and are used frequently by users in hostile environments.
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy
— undefined (@hexdefined) October 20, 2019
Hackers gained access to the system at NordVPN that contained this, and at least one other sensitive encryption key. That’s bad, but history has shown us that given enough time and resources, hackers can often find their way into high-value targets: breaches such as this have happened in 2019 more times than I can count. However, a defense-in-depth strategy could have at least prevented the hackers from stealing the private keys.
What you think is your perimeter, is not your perimeter — it’s a whole lot bigger than you think. Nobody operates in or as a self-contained system, everyone is leveraging a litany of other web assets whether that’s data servers, third party plugins/addons, WordPress hosts, or even just run-of-the-mill AWS or Azure resources.
Everyone lives in a complicated state of a billion dependencies, and each one of these further extends a given organization’s attack surface. And with this, oftentimes, companies are left unaware of their full exposure/footprint, and thus cannot protect it.
To help protect one’s ever-changing attack surfaces and landscape, I recommend implementing an open scope bounty program where researchers can report vulnerabilities- even if it’s something as simple as exposed keys on a Pastebin blob. The important thing here is offering cash incentives to ensure that there’s a driver for individuals to report these vulnerabilities, rather than leaving them in the open for someone else to deal with. Ostensibly, a number of other people saw these keys on the message board where they were posted, but it appears that nobody had the motivation to report them immediately. Offering incentives to researchers (or even bystanders who witness these things) to report things like this is an effective and important piece in making sure that any organization is a little more secure in the wild.